Criminals have been finding gaping holes in Android-based two-factor authentication systems that banks around the world are using. The result: 34 banks in four countries have fallen victim to a sophisticated spear-phishing and malware campaign known as Operation Emmental.

The malware campaign is appropriately named after a type of Swiss cheese because that appears to be just what the Android system is at the moment -- full of holes. David Sancho, a senior threat researcher at security firm Trend Micro, recently discovered the criminal operation, which works by defeating session tokens. Essentially, he explained, the criminal gang targets banks that send session tokens through text messaging.

“This is a two-factor authentication method that utilizes users’ phones as a secondary channel. Trying to log into the banking site should prompt the bank to send users an SMS with a number,” Sancho explained. “Users need to enter that number along with their regular username and password in order to transact with the bank. By default, this is used by some banks in Austria, Sweden, Switzerland, and other European countries.”

Rogue SSL Root Ploy

Sancho explains that the cybercriminals spam users in those countries with e-mails spoofing well-known online retailers. The users click malicious links or attachments and their computers get infected with malware. So far, he said, all this is fairly typical and, from his perspective, a bit boring.

“But here’s where it gets interesting. The users’ computers don’t really get infected -- not with the usual banking malware, anyway. The malware only changes the configuration of their computers then removes itself,” he said. “How’s that for an undetectable infection? The changes are small . . . but have big repercussions.”

Drilling into the mechanics, Sancho said the malware works by changing the DNS settings of users' computers to point to a foreign server the cybercriminals control. It then installs a rogue SSL root certificate on their systems so that the criminals' malicious HTTPS servers are trusted by default and users see no security warnings.

“Now, when users with infected computers try to access the bank’s Web site, they are instead pointed to a malicious site that looks like that of their bank,” he said. “So far, this is just a fancy phishing attack but these criminals are much more devious than that. Once the users enter their credentials, they are instructed to install an app on their smartphone.”
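As an added example (not from the article or from Trend Micro), a Python audit that checks an endpoint inventory for the two configuration changes Sancho describes: resolvers outside an approved set and root CAs missing from a baseline. The approved resolvers, certificate thumbprints and host records are constructed placeholders.

```python
"""Audit host inventory for the two changes the Emmental dropper makes:
DNS resolvers pointed at an attacker-controlled server and a rogue root CA
added to the trust store. The inventory records below are constructed."""
import ipaddress
# Baselines a defender would maintain (assumed values, not from the article).
APPROVED_DNS = {"10.0.0.53", "10.0.1.53"}
APPROVED_ROOT_THUMBPRINTS = {"AA11" * 16, "BB22" * 16}  # constructed placeholders

def audit_host(host):
    """Findings for one record {"name", "dns": [str], "roots": [{"subject", "thumbprint"}]}."""
    findings = []
    for server in host["dns"]:
        if server in APPROVED_DNS:
            continue
        try:
            ipaddress.ip_address(server)  # junk entries left by a botched settings edit
        except ValueError:
            findings.append(f"malformed DNS server entry {server!r}")
            continue
        findings.append(f"unapproved DNS server {server}")
    for root in host["roots"]:
        if root["thumbprint"] not in APPROVED_ROOT_THUMBPRINTS:
            findings.append(f"unexpected root CA '{root['subject']}'")
    return findings

def severity(findings):
    """DNS redirect plus a trusted rogue CA is the Emmental pattern: the first
    lands the browser on the look-alike site, the second silences the warning."""
    has_dns = any("DNS server" in f for f in findings)
    has_ca = any(f.startswith("unexpected root") for f in findings)
    if has_dns and has_ca:
        return "critical"
    return "warning" if (has_dns or has_ca) else "ok"

# Constructed sample inventory: one clean host, one showing both changes.
SAMPLE_HOSTS = [
    {"name": "ws-01", "dns": ["10.0.0.53"],
     "roots": [{"subject": "CN=Corp Root CA", "thumbprint": "AA11" * 16}]},
    {"name": "ws-02", "dns": ["10.0.0.53", "203.0.113.7"],
     "roots": [{"subject": "CN=Corp Root CA", "thumbprint": "AA11" * 16},
               {"subject": "CN=Trusted Update CA", "thumbprint": "CC33" * 16}]},
]

def audit_all(hosts=SAMPLE_HOSTS):
    """Map host name -> (severity, findings) across the inventory."""
    results = {}
    for host in hosts:
        findings = audit_host(host)
        results[host["name"]] = (severity(findings), findings)
    return results
```

Feeding it real data means exporting each endpoint's configured resolvers and trusted-root thumbprints into the same record shape; a host that trips both checks is the one to pull for forensics first.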

Elaborate and Complicated

We caught up with Lamar Bailey, director of security research at Tripwire, to get his take on the malware. He told us this is a very elaborate and complicated phishing attack.

“A user must click on a phishing e-mail then install a third-party app to be vulnerable to attack. The malware used in the first stage is very sneaky because it changes the DNS server and SSL certificate settings then removes itself,” he said. “Most users will never go check these settings after the computer is first set up.”

We also asked Tim Erlin, Tripwire's director of IT security and risk strategy, for his thoughts on the topic. He told us there’s a story behind the story.

“While the news story here is about an attack on European banks, the real challenge is increasingly that organizations are only as secure as their most insecure user,” Erlin said. “Very simply, the banks can and will continue to build security into the interfaces to their customers, but they can’t build security into the customers themselves.”